Pharma giant Pfizer has leaked the private medical data of prescription-drug users in the U.S. for months or even years, thanks to an unprotected Google Cloud storage bucket.
The exposed data includes phone-call transcripts and personally-identifiable information (PII), according to vpnMentor’s cybersecurity research team. The victims include people using pharmaceuticals like Lyrica, smoking-cessation aid Chantix, Viagra, menopause drug Premarin, and cancer treatments such as Aromasin, Depo-Medrol and Ibrance. Some of the transcripts were related to conversations about Advil, which is manufactured by Pfizer in a joint venture with GlaxoSmithKline.
“Initially, we suspected the misconfigured bucket to be related to just one of the medication brands exposed,” researchers explained. “However, upon further investigation, we found files and entries connected to various brands owned by Pfizer. Eventually, our team concluded the bucket most likely belonged to the company’s U.S. Drug Safety Unit (DSU).”
The PII includes full names, home addresses, email addresses, phone numbers, and partial details for health and medical status, vpnMentor noted. But perhaps more concerning are the transcripts, which are related to Pfizer’s automated customer-support system.
The company captured conversations with customers calling into the company’s interactive voice response (IVR) customer support asking about refills, side-effects and the like.
“The folder containing the transcripts was named ‘escalations,’ suggesting they were part of an automated internal process managing customer queries and complaints,” according to a vpnMentor blog post on Tuesday. “We also reviewed transcripts in which the conversation was ‘escalated’ to human customer support agents. It appeared these agents were registered nurses representing Pfizer in matters relating to its pharmaceutical brands.”
Hundreds of people were exposed, with some of the information dating back to October 2018. Researchers discovered the bucket open to the internet (with no passwords or usernames required) in July. After several attempts to contact the company, the bucket was finally made private on Sept. 23.
“It took two months, but eventually, we received a reply from the company,” according to vpnMentor. “When they finally replied, all we received was the following statement: ‘From the URL you gave, I failed to see how it is important Pfizer data (or even an important data at all).’ This was a surprising response from one of the biggest companies in the world.”
After sharing a file with a sample of customers’ PII data with the company, the bucket was secured but vpnMentor received no further communication from Pfizer, it said.
When Threatpost reached out to the drug giant for comment, a spokesperson said: “Pfizer is aware that a small number of non-HIPAA data records on a vendor-operated system used for feedback on existing medicines were inadvertently publicly available. We take privacy and product feedback extremely seriously. To that end, when we became aware of this event we ensured the vendor corrected the issue and notifications compliant with applicable laws will be sent to individuals.”
No Prescription for Cyberhealth
There are a variety of attacks that cybercriminals could carry out if they had gained access to the information. It’s unclear how long in total the bucket was exposed, and there’s no way of knowing if nefarious types dipped into it.
For one, hackers could mount highly convincing phishing campaigns using a combination of the PII and the details of the medical prescriptions the targets are taking.
“Hackers could easily trick victims by appearing as Pfizer’s customer-support department and referencing the conversations taking place in the transcripts,” explained vpnMentor researchers.
They added, “For example, many people were enquiring about prescription refills and other queries. Such circumstances give cybercriminals a great opportunity to pose as Pfizer and request card details in order to proceed with the refills.”
Attackers could also use the data to phish additional information about a patient, such as their home address, and could from there completely steal the person’s identity. They could hijack prescription refills, or, in the worst case, “destroy a person’s financial wellbeing and create tremendous difficulty in their personal lives.”
And then there’s the malware aspect. A malicious link in a convincing email could lead to malware execution on the user’s device, which in turn could compromise an entire network to which the device is connected.
Researchers at vpmMentor also pointed out the potential physical-safety ramifications of the exposure.
“There’s a high probability the people exposed in these transcripts are experiencing ill health, physically and emotionally,” according to the report. “One of the medicines referenced, Lyrica, used to treat anxiety disorders, while others, such as Ibrance and Aromasin, are used in the treatment of cancer. At the time of the data breach, coronavirus was still surging across the U.S.A. If cybercriminals had successfully robbed from or defrauded someone taking medication for anxiety in any way, the potential impact on their mental health is immeasurable and impossible to understate.”
Rampant Cloud Misconfigurations
A too-large percentage of cloud databases containing highly sensitive information are publicly available, an analysis in September found. The study from Comparitch showed that 6 percent of all Google Cloud buckets are misconfigured and left open to the public internet, for anyone to access their contents.
And 2020 has indeed had its share of high-profile incidents. Just last week, Broadvoice, a well-known VoIP provider that serves small- and medium-sized businesses, was found to have leaked more than 350 million customer records related to the company’s “b-hive” cloud-based communications suite.
Among other incidents this fall, an estimated 100,000 customers of Razer, a purveyor of high-end gaming gear ranging from laptops to apparel, had their private info exposed via a misconfigured Elasticsearch server. And, a misconfigured, Mailfire-owned Elasticsearch server impacting 70 dating and e-commerce sites was found leaking PII and details such as romantic preferences. Also, the Wales arm of the U.K.’s National Health Service announced that PII for Welsh residents who had tested positive for COVID-19 was exposed via a public cloud upload.
This story was updated at 4:15 p.m. ET on Oct. 20, 2020, to include a statement from Pfizer.